Sunday, April 21, 2013

De-obfuscating Malware (Subtracting Hex)

Recently I came across some webpages that were referring to the Redkit malware.  The page that I was directed to contained some javascript like the following:

!40!12!f!25!25!25!25!25!25!25!25!69!74!68!7a!72
!6a!73!79!33!6c!6a!79!4a!71!6a!72!6a!73!79!47!7e
!4e!69!2d!2c!76

Then I noticed in the javascript that it was subtracting 5 from the hex values after the !40 was converted to a hex value.

So I built this quick python script to convert the hex to decimal subtract 5 and then back to hex. (I also noticed another webpage variation that would subtract 7)

#!/usr/bin/env python

ins = open("temp", "r")
array = []
for line in ins:
    print hex(int(line, 16) - 5)


Then I used the hex to ASCII converter to pull the websites out that I was interested in seeing that were being obfuscated.


No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...